Perspectives on Vulnerabilities, ERM, and Audit Services

 對(duì)漏洞、ERM和審計(jì)服務(wù)的看法
 

A fourth Industrial Revolution is underway globally; a digital revolution driven by the rapid, wide-scale deployment of digital technologies, such as in high-speed mobile Internet capabilities, artificial intelligence (AI), and machine learning. Cloud computing is at the vanguard of this transformation. As a result, organizations of all sizes, sectors, and geographies have substantially and rapidly increased their use of cloud computing. According to Gartner (2019), more than one-third of organizations see cloud investments as a top-three priority. The public cloud services market is projected to reach a staggering $266 billion in 2020.

第四次工業(yè)革命正在全球范圍內(nèi)進(jìn)行，一場(chǎng)由快速、大規(guī)模的數(shù)字技術(shù)所推動(dòng)的數(shù)字革命。體現(xiàn)在高速移動(dòng)互聯(lián)網(wǎng)功能，人工智能（AI）和機(jī)器學(xué)習(xí)等領(lǐng)域。云計(jì)算是這種轉(zhuǎn)變的先鋒。因此，各種不同規(guī)模、部門(mén)和地域的組織都非常迅速地增加了對(duì)云計(jì)算的使用。根據(jù)Gartner（2019）的數(shù)據(jù)，超過(guò)三分之一的企業(yè)將云投資視為三大優(yōu)先項(xiàng)目。公共云服務(wù)市場(chǎng)預(yù)計(jì)到2020年將達(dá)到驚人的2660億美元。

One driver in this proliferation and widespread use of cloud computing is the current digital transformation. In a 2016 address, Microsoft CEO Satya Nadella advanced this enduring description of digital transformation: “becoming more engaged with their customers, empowering their employees, optimizing how they run their business operations and transforming the products and services they offer using digital content.” Such benefits from a cloud computing perspective include managing and outsourcing costly and difficult-to-update and -manage in-house IT infrastructure; streamlining and scaling storage, software, and application support; increasing speed and processing; reducing costs. As a result, organizations of all sizes, geographies and sectors, including CPA firms and their clients, are developing their own private cloud or purchasing public cloud services from cloud service providers (CSP), such as Microsoft Azure and Amazon AWS.

云計(jì)算的擴(kuò)散和廣泛應(yīng)用的一個(gè)驅(qū)動(dòng)力是當(dāng)前的數(shù)字化轉(zhuǎn)型。在2016年的一次演講中，微軟首席執(zhí)行官薩蒂亞·納德拉（Satya Nadella）提出了對(duì)數(shù)字化轉(zhuǎn)型的持久性描述：“與客戶更加緊密地接觸，增強(qiáng)員工的能力，優(yōu)化他們的業(yè)務(wù)運(yùn)營(yíng)方式，并利用數(shù)字內(nèi)容改變他們提供的產(chǎn)品和服務(wù)”。從云計(jì)算的角度來(lái)看，這些好處包括對(duì)成本高昂且難以更新和管理的內(nèi)部IT基礎(chǔ)設(shè)施的管理和業(yè)務(wù)外包；優(yōu)化和擴(kuò)展存儲(chǔ)、軟件和應(yīng)用程序支持；提高速度和處理能力；降低成本。因此，各種規(guī)模、地域和行業(yè)的組織，包括會(huì)計(jì)師事務(wù)所及其客戶，都在開(kāi)發(fā)自己的私有云，或者從云服務(wù)提供商（CSP）購(gòu)買(mǎi)公共云服務(wù)，比如微軟Azure和Amazon AWS。

While such potential benefits are compelling, market intelligence reveals that cloud computing exacerbates risks and creates new and unexpected risks. For example, a cloud security breach exposed the names, addresses, and account details of as many as 14 million U.S.-based Verizon customers. In this context, one can only imagine the potential cloud-related cybersecurity breaches and service failures that may emerge from the unexpected disruption and rapid transformation to remote working caused by the current coronavirus (COVID-19) pandemic. On the one hand, workers unexpectedly transitioning to remote working have been enabled in part by cloud computing to immediately, rapidly, and seamlessly access necessary data, software, and applications. On the other hand, such an unanticipated disruption and rapid transformation has exacerbated existing risks and created new risks as workers access data from remote locations; for example, breaches in data confidentiality, unauthorized access, and system availability failures.

雖然這些潛在的好處是引人注目的，但市場(chǎng)情報(bào)顯示，云計(jì)算加劇了風(fēng)險(xiǎn)，并創(chuàng)造了新的和意想不到的風(fēng)險(xiǎn)。例如，云安全漏洞暴露了多達(dá)1400萬(wàn)美國(guó)Verizon客戶的姓名、地址和賬戶詳細(xì)信息。在這種情況下，不難想象由于當(dāng)前的冠狀病毒（COVID-19）大流行造成的意外中斷和遠(yuǎn)程辦公的快速轉(zhuǎn)換，可能會(huì)出現(xiàn)與云相關(guān)的潛在網(wǎng)絡(luò)安全漏洞和服務(wù)故障。一方面，因?yàn)樵朴?jì)算能夠立即、快速、無(wú)縫地訪問(wèn)必要的數(shù)據(jù)、軟件和應(yīng)用程序，使得工作人員在意外情況下過(guò)渡到遠(yuǎn)程工作成為可能。另一方面，這種意外的中斷和快速轉(zhuǎn)換加劇了現(xiàn)有的風(fēng)險(xiǎn)，并在員工從遠(yuǎn)程位置訪問(wèn)數(shù)據(jù)時(shí)產(chǎn)生了新的風(fēng)險(xiǎn)；例如，數(shù)據(jù)機(jī)密性遭到破壞、未經(jīng)授權(quán)的訪問(wèn)以及系統(tǒng)可用性故障。

The Cloud’s Impact

云帶來(lái)的影響

The National Institute of Standards and Technology (NIST) defines cloud computing as a means for enabling on-demand access to shared pools of configurable computing resources (e.g., networks, servers, storage applications, services) that can be rapidly provisioned and released. In simple terms, the cloud is a massive cluster of super-sized servers housed in locations scattered around the globe (i.e., cloud farms). Cloud farms are operated by CSP vendors such as Amazon AWS; these vendors provide a range of hosting services.

美國(guó)國(guó)家標(biāo)準(zhǔn)與技術(shù)研究所（NIST）將云計(jì)算定義為一種能夠按需訪問(wèn)可配置計(jì)算資源（如網(wǎng)絡(luò)、服務(wù)器、存儲(chǔ)應(yīng)用程序、服務(wù)）的共享池的方法，這些資源可以快速調(diào)配和發(fā)布。簡(jiǎn)單地說(shuō)，云就是分布在全球各地的大型服務(wù)器集群（例如云農(nóng)場(chǎng)）。云農(nóng)場(chǎng)由亞馬遜AWS等CSP供應(yīng)商運(yùn)營(yíng)，這些供應(yīng)商提供一系列托管服務(wù)。

Exhibit 2

Cloud Transparency

云透明度

The KPMG Audit Committee Institute highlighted “understanding technology’s impact”—with a reference to cloud computing—as one of their seven items to consider for the audit committee’s 2020 agenda. In this context, an organization needs transparency into the nature, scope, and location of CSP vendors and the performance of their cloud activities. The board, senior management, and CPAs should ask the following questions:

KPMG審計(jì)委員會(huì)研究所（KPMG Audit Committee Institute）強(qiáng)調(diào)了“理解技術(shù)的影響”，并將云計(jì)算作為審計(jì)委員會(huì)2020年議程中需要考慮的七個(gè)項(xiàng)目之一。在這種情況下，組織需要透明化CSP供應(yīng)商的性質(zhì)、范圍和位置以及他們的云活動(dòng)的性能。

· What is our enterprise-wide cloud footprint?

· 我們企業(yè)的云足跡是什么？

o Do we have an inventory of cloud activities?

o 我們有云計(jì)算活動(dòng)的清單嗎？

o Where are our servers, software, and applications?

o 我們的服務(wù)器、軟件和應(yīng)用程序在哪里？

· Who is responsible and accountable for cybersecurity, system recovery, and controls?

· 誰(shuí)負(fù)責(zé)網(wǎng)絡(luò)安全、系統(tǒng)恢復(fù)和控制？

o Is there a heat-map valuing data stored in private and public clouds, by location?

o 是否有熱圖可以按位置對(duì)存儲(chǔ)在私有和公共云中的數(shù)據(jù)進(jìn)行評(píng)估？

o Are shared-responsibilities for performance, availability, cybersecurity, and third-party assurance clearly defined and formalized in a service level agreement (SLA)?

o 服務(wù)水平協(xié)議（SLA）中是否明確規(guī)定并正式規(guī)定了性能、可用性、網(wǎng)絡(luò)安全和第三方保證的共同責(zé)任？

o Which global jurisdiction regulations are we subject to?

o 我們要遵守哪些全球管轄法規(guī)？

o Do management, the board, CSPs, and auditors understand cloud risks?

o 管理層、董事會(huì)、CPS和審計(jì)師了解云風(fēng)險(xiǎn)嗎？

o What are the CSP contractual requirements and SLA terms and commitments?

o CSP合同要求和SLA條款和承諾是什么？

· Who is accessing our data, and why? Can they see our draft 10-K and trade secrets?

· 誰(shuí)在訪問(wèn)我們的數(shù)據(jù)，為什么？他們能看到我們的10-K草案和商業(yè)機(jī)密嗎？

o Do our primary CSPs subcontract our cloud needs to other CSP subcontractors (i.e., third- and fourth-party risk)?

o 我們的主要CSP是否將我們的云需求分包給其他CSP分包商（即第三方和第四方風(fēng)險(xiǎn)）？

o Are other jurisdictions accessing our data and surveilling our activities?

o 其他司法管轄區(qū)是否在訪問(wèn)我們的數(shù)據(jù)并監(jiān)督我們的活動(dòng)？

o Do accountants, lawyers, and other vendors safeguard access and storage of our data?

o 會(huì)計(jì)師、律師和其他供應(yīng)商是否保護(hù)我們數(shù)據(jù)的訪問(wèn)和存儲(chǔ)？

· Is shared responsibility for risk management strategy, methods, and skills designed properly and operating effectively?

· 風(fēng)險(xiǎn)管理策略、方法和技能的共同責(zé)任是否設(shè)計(jì)得當(dāng)并有效運(yùn)作？

o Are we monitoring breaches and system failures on a continuous basis?

o 我們是否持續(xù)監(jiān)控違規(guī)和系統(tǒng)故障？

o Are stakeholders effective and accountable to those who share responsibility for governance?

o 利益相關(guān)者是否有效地并對(duì)那些共同承擔(dān)治理責(zé)任的人負(fù)責(zé)？

o Are we conducting a top-down enterprise risk management assessment?

o 我們是否正在進(jìn)行自上而下的企業(yè)風(fēng)險(xiǎn)管理評(píng)估？

Adapting to Digital Transformation

適應(yīng)數(shù)字化轉(zhuǎn)型

The emergence of cloud computing and the incipient digital transformation of business is having a profound impact on the traditional techniques and services provided by CPA firms. Organizations adopting or leveraging cloud computing should obtain a continuous update of their inventory of cloud activities, including the nature, scope, and locations of their cloud activities; conduct a holistic, enterprise-wide, what-can-go-wrong analysis, including cybersecurity risks and single-point-of-failure risks associated with their cloud ecosystem; and perform an analysis of cloud computing resiliency, including an ERM analysis of cloud performance, security risk, and change management risk. CPA firms adapting to digital disruption and transformation must obtain an understanding of the implications of cloud computing on their clients’ business and control environment; analyze risks of material misstatement and cybersecurity risks; assess cloud controls; and manage cloud-informed changes to the CPA firm’s QC processes and compliance.

云計(jì)算的出現(xiàn)和商務(wù)數(shù)字化轉(zhuǎn)型的初現(xiàn)，對(duì)會(huì)計(jì)師事務(wù)所提供的傳統(tǒng)技術(shù)和服務(wù)產(chǎn)生了深遠(yuǎn)的影響。采用或利用云計(jì)算的組織應(yīng)獲得其云活動(dòng)清單的持續(xù)更新。包括其云活動(dòng)的性質(zhì)、范圍和位置；進(jìn)行全面的、企業(yè)范圍的、可能出錯(cuò)的分析，包括與云生態(tài)系統(tǒng)相關(guān)的網(wǎng)絡(luò)安全風(fēng)險(xiǎn)和單點(diǎn)故障風(fēng)險(xiǎn)；執(zhí)行云計(jì)算彈性分析，包括云性能、安全性和變更管理風(fēng)險(xiǎn)的ERM分析。適應(yīng)數(shù)字顛覆和轉(zhuǎn)型的會(huì)計(jì)師事務(wù)所必須了解云計(jì)算對(duì)客戶業(yè)務(wù)和控制環(huán)境的影響；分析重大錯(cuò)報(bào)風(fēng)險(xiǎn)和網(wǎng)絡(luò)安全風(fēng)險(xiǎn)；評(píng)估云控制；并管理注冊(cè)會(huì)計(jì)師事務(wù)所的QC流程和合規(guī)性的“云通知”變更。